Open-source file-sharing and collaboration software ownCloud is affected by critical vulnerabilities that could lead to the exposure of credentials and other sensitive information, and to authentication and validation bypass.
The most severe issue, which carries a CVSS score of 10/10, affects the graphapi app, which uses a third-party library providing a URL that, when accessed, reveals the PHP environment's configuration details (phpinfo).
“This information includes all the environment variables of the webserver. In containerized deployments, these environment variables may include sensitive data such as the ownCloud admin password, mail server credentials, and license key,” ownCloud warned in an advisory.
Other sensitive data included in phpinfo could allow an attacker to gather further information about the system, and the vulnerability should be a concern for all administrators even if ownCloud is not running in a containerized environment.
“It's important to emphasize that simply disabling the graphapi app does not eliminate the vulnerability,” ownCloud notes. The issue affects graphapi versions 0.2.0 to 0.3.0.
Administrators are advised to change the ownCloud admin password, the Object-Store/S3 access-key, and credentials for the mail server and database. “Additionally, we disabled the phpinfo function in our docker-containers. We will apply various hardenings in future core releases to mitigate similar vulnerabilities,” ownCloud added.
A second vulnerability, tagged with a CVSS severity score of 9.8/10, is described as an authentication bypass in the WebDAV API, by means of pre-signed URLs.
“It is possible to access, modify or delete any file without authentication if the username of the victim is known and the victim has no signing-key configured (which is the default),” ownCloud explained.
The bug affects ownCloud core versions 10.6.0 to 10.13.0 and can be mitigated by denying the use of pre-signed URLs if no signing key is configured for the file owner.
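The mitigation ownCloud describes, that a pre-signed request must be refused whenever the file owner has no signing key, can be modelled as a small authorization check. The following is an added illustration written for this article; it is not ownCloud's WebDAV code, and the parameter names, the HMAC-SHA256 signing scheme and the per-user key table are all assumptions. The point it shows is ordering: the key lookup happens before any signature comparison, so an owner without a key can never be reached through a pre-signed URL no matter what signature is supplied.

```python
"""Illustrative pre-signed URL authorization check (added example, not ownCloud code).

Assumed scheme: the signature is HMAC-SHA256 over owner, path and expiry,
keyed with the owner's per-user signing key.
"""
import hashlib
import hmac
import time
from typing import Optional

# Constructed per-user signing keys. Users mapped to None (or absent) have no
# signing key configured, which the advisory says is the default state.
SIGNING_KEYS = {
    "alice": b"constructed-signing-key-for-alice",
    "bob": None,
}


def sign_url(owner: str, path: str, expires: int, key: bytes) -> str:
    """Compute the hypothetical signature for a pre-signed URL."""
    msg = f"{owner}\n{path}\n{expires}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def authorize_presigned(owner: str, path: str, expires: int,
                        signature: str, now: Optional[float] = None) -> bool:
    """Return True only if a pre-signed request is valid for this owner.

    Mitigation from the advisory: if the owner has no signing key configured,
    pre-signed access is denied outright, before any signature is examined.
    """
    key = SIGNING_KEYS.get(owner)
    if not key:
        return False  # no signing key configured -> pre-signed URLs not accepted
    current = now if now is not None else time.time()
    if current > expires:
        return False  # link has expired
    expected = sign_url(owner, path, expires, key)
    # Constant-time comparison so the check does not leak via timing.
    return hmac.compare_digest(expected, signature)
```

In a real deployment the key table would come from user configuration, and the check would sit in front of every WebDAV operation that honours pre-signed parameters, not only reads.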
A third bug (CVSS score of 9/10), affecting oauth2 app versions prior to 0.6.1, could lead to the bypass of subdomain validation.
“Within the oauth2 app an attacker is able to pass in a specially crafted redirect-URL which bypasses the validation code and thus allows the attacker to redirect callbacks to a TLD controlled by the attacker,” ownCloud said.
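Redirect-URL checks go wrong when they compare raw strings instead of parsed components. As an added example, not the oauth2 app's own validation code, the function below compares a candidate redirect URL against a registered one by scheme, parsed hostname, port and path, and treats subdomains as a separate, explicit policy that only accepts a host ending in a dot plus the registered host. The registered URL and the test inputs are constructed for this illustration.

```python
"""Strict OAuth2 redirect-URL validation on parsed components (added example)."""
from urllib.parse import urlsplit


def _host_matches(host: str, registered_host: str, allow_subdomains: bool) -> bool:
    """Exact host match or, if permitted, a true subdomain of the registered host.

    The '.' boundary is what separates 'sub.app.example.com' (a subdomain)
    from 'app.example.com.other.example' (a different registrable domain).
    """
    if host == registered_host:
        return True
    return allow_subdomains and host.endswith("." + registered_host)


def redirect_url_allowed(candidate: str, registered: str,
                         allow_subdomains: bool = False) -> bool:
    """Return True only if candidate may be used in place of the registered URL."""
    try:
        c = urlsplit(candidate)
        r = urlsplit(registered)
        c_port, r_port = c.port, r.port  # .port raises ValueError on junk ports
    except ValueError:
        return False
    # Scheme must match the registration and must be https (no downgrade).
    if c.scheme != r.scheme or c.scheme != "https":
        return False
    # A URL with userinfo ('https://good.example@other.example/') parses to a
    # different host than a naive reader expects; reject it, along with
    # anything that yielded no hostname at all.
    if not c.hostname or c.username is not None or c.password is not None:
        return False
    # Compare parsed, lower-cased hostnames, never a substring of the raw URL.
    if not _host_matches(c.hostname.lower(), (r.hostname or "").lower(),
                         allow_subdomains):
        return False
    if c_port != r_port:
        return False
    # No fragment, and the path must equal the registered path or sit below it.
    if c.fragment:
        return False
    base = r.path.rstrip("/") + "/"
    return c.path == r.path or c.path.startswith(base)
```

Exact matching of the full registered URL is the safest default; the `allow_subdomains` flag exists only to show how a subdomain policy should be written when a product needs one.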